Re: Question on SSL certificate expiry

From Nikhil Shetty
Subject Re: Question on SSL certificate expiry
Date
Msg-id CAFpL5Vyf0Z25seOvH3aCqAc-tzPYKUd9s4Xq9MYn1OpC9=m7Mg@mail.gmail.com
In reply to Re: Question on SSL certificate expiry  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: Question on SSL certificate expiry  (Nikhil Shetty <nikhil.dba04@gmail.com>)
List pgsql-admin
Hi Tom,

We are using verify-full on both client and server.

Server Side pg_hba.conf

hostssl all <user> <ip> cert clientcert=1

Server Side SSL

postgres=# show ssl_cert_file ;
            ssl_cert_file
--------------------------------------
 /data/server.cert

postgres=# show ssl_ca_file ;
                 ssl_ca_file
---------------------------------------------
 /data/ca-cert.pem

postgres=# show ssl_key_file ;
            ssl_key_file
-------------------------------------
 /data/server.key

Client side SSL

export PGSSLROOTCERT="ca.pem"
export PGSSLMODE="verify-full"
export PGSSLCERT="cert.pem"
export PGSSLKEY="cert.key"

Thanks,

Nikhil


On Thu, Jun 1, 2023 at 6:37 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
Nikhil Shetty <nikhil.dba04@gmail.com> writes:
> We were using MTLS to connect to the database. We noticed that even after
> server certificates expired the client was able to connect to the database.

> 1. Doesn't postgres check the expiry date of the certificate?

Postgres does not.  The openssl library can.  The most likely
guess, on the basis of the next-to-zero details you provided,
is that the connection is succeeding via some method that doesn't
require the client to check the server's certificate --- for
instance, a completely unencrypted connection.

                        regards, tom lane
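Added example, not part of this thread or of libpq: a stdlib-only Python probe that sends PostgreSQL's SSLRequest startup packet by hand, then completes the TLS handshake with settings equivalent to PGSSLMODE=verify-full (CA pinned, hostname checked, client certificate presented) and reports how many days the server certificate has left. With peer verification required, OpenSSL rejects an expired server certificate during the handshake, which is the library-side check Tom refers to; if the probe instead reaches the server over a path that skips verification, that is exactly the situation to look for. The host name and the file paths are assumptions taken from the client settings above.

```python
"""Check a PostgreSQL server's TLS certificate the way a verify-full client would.
Added example, not from the thread: host and paths are assumptions."""
import socket
import ssl
import struct
import time
from typing import Optional

# libpq's SSLRequest packet: Int32 length (8) then Int32 code 80877103,
# i.e. (1234 << 16) | 5679, sent in clear before any TLS bytes.
SSL_REQUEST_CODE = (1234 << 16) | 5679


def ssl_request() -> bytes:
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def server_accepts_ssl(reply: bytes) -> bool:
    # The server answers with one byte: 'S' (continue with TLS) or 'N' (no TLS).
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    raise ValueError(f"unexpected SSLRequest reply: {reply!r}")


def verify_full_context(cafile: str, certfile: str, keyfile: str) -> ssl.SSLContext:
    # Equivalent of verify-full: trust only cafile, check the hostname, require a
    # peer certificate (OpenSSL then also rejects expired ones), present ours for mTLS.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def days_to_expiry(peer_cert: dict, now: Optional[float] = None) -> float:
    # peer_cert is the dict from SSLSocket.getpeercert(); notAfter uses OpenSSL's
    # "Jun  1 00:00:00 2023 GMT" form. Negative result means already expired.
    not_after = ssl.cert_time_to_seconds(peer_cert["notAfter"])
    now = time.time() if now is None else now
    return (not_after - now) / 86400


def probe(host: str, port: int, cafile: str, certfile: str, keyfile: str) -> float:
    ctx = verify_full_context(cafile, certfile, keyfile)
    with socket.create_connection((host, port), timeout=10) as raw:
        raw.sendall(ssl_request())
        if not server_accepts_ssl(raw.recv(1)):
            raise RuntimeError("server declined TLS; a plain connection would verify nothing")
        # The handshake fails here if the chain, hostname or validity period is bad.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return days_to_expiry(tls.getpeercert())


if __name__ == "__main__":  # assumed host; paths mirror the client settings above
    print(f"{probe('db.example.internal', 5432, 'ca.pem', 'cert.pem', 'cert.key'):.1f} days left")
```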
